From 1ebf5a5fcda0c9154e22ed02404fd46525a7fd9f Mon Sep 17 00:00:00 2001 From: bossiel Date: Wed, 10 Aug 2011 22:59:15 +0000 Subject: Move deprecated v1.0 from trunk to branches --- tinyHTTP/src/auth/thttp_auth.c | 234 ++++++++++++++++++++++++++++ tinyHTTP/src/auth/thttp_challenge.c | 297 ++++++++++++++++++++++++++++++++++++ 2 files changed, 531 insertions(+) create mode 100644 tinyHTTP/src/auth/thttp_auth.c create mode 100644 tinyHTTP/src/auth/thttp_challenge.c (limited to 'tinyHTTP/src/auth') diff --git a/tinyHTTP/src/auth/thttp_auth.c b/tinyHTTP/src/auth/thttp_auth.c new file mode 100644 index 0000000..3b996ba --- /dev/null +++ b/tinyHTTP/src/auth/thttp_auth.c 
@@ -0,0 +1,234 @@
+/*
+* Copyright (C) 2009-2010 Mamadou Diop.
+*
+* Contact: Mamadou Diop
+*
+* This file is part of Open Source Doubango Framework.
+*
+* DOUBANGO is free software: you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation, either version 3 of the License, or
+* (at your option) any later version.
+*
+* DOUBANGO is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with DOUBANGO.
+*
+*/
+/**@file thttp_auth.c
+ * @brief HTTP basic/digest authetication (RFC 2617) implementations.
+ *
+ * @author Mamadou Diop
+ *
+ * @date Created: Sat Nov 8 16:54:58 2009 mdiop
+ */
+#include "tinyhttp/auth/thttp_auth.h"
+
+#include "tsk_string.h"
+#include "tsk_base64.h"
+#include "tsk_buffer.h"
+#include "tsk_memory.h"
+
+#include
+
+/**@defgroup thttp_auth_group HTTP basic/digest authentication (RFC 2617)
+*/
+
+/**@ingroup thttp_auth_group
+ *
+ * Generates HTTP-basic response as per RFC 2617.
+ *
+ * @param [in,out] userid The user-id.
+ * @param [in,out] password The user-password.
+ * @param [in,out] response A pointer to the response. It will be up to the caller to free the newly allocated buffer.
+ *
+ * @return The size of the response.
+**/
+tsk_size_t thttp_auth_basic_response(const char* userid, const char* password, char** response)
+{
+ tsk_size_t ret;
+
+ /* RFC 2617 - 2 Basic Authentication Scheme
+
+ To receive authorization, the client sends the userid and password,
+ separated by a single colon (":") character, within a base64 [7]
+ encoded string in the credentials.
+ */
+
+ char *res = 0;
+ tsk_sprintf(&res, "%s:%s", userid, password);
+ ret = tsk_base64_encode((const uint8_t*)res, tsk_strlen(res), response);
+ TSK_FREE(res);
+
+ return ret;
+}
+
+
+/**@ingroup thttp_auth_group
+ * Generates digest HA1 value as per RFC 2617 subclause 3.2.2.2.
+ *
+ *
+ * @param [in,out] username The user's name (unquoted) in the specified @a realm.
+ * @param [in,out] realm The realm. (unquoted)
+ * @param [in,out] password The user's password.
+ * @param [in,out] ha1 A pointer to the result.
+ *
+ * @return Zero if succeed and non-zero error code otherwise.
+**/
+int thttp_auth_digest_HA1(const char* username, const char* realm, const char* password, tsk_md5string_t* ha1)
+{
+ int ret;
+
+ /* RFC 2617 - 3.2.2.2 A1
+ A1 = unq(username-value) ":" unq(realm-value) ":" passwd
+ */
+ char *a1 = 0;
+ tsk_sprintf(&a1, "%s:%s:%s", username, realm, password);
+ ret = tsk_md5compute(a1, tsk_strlen(a1), ha1);
+ TSK_FREE(a1);
+
+ return ret;
+}
+
+/**@ingroup thttp_auth_group
+ *
+ * Generates digest HA1 value for 'MD5-sess' algo as per RFC 2617 subclause 3.2.2.2.
+ *
+ *
+ * @param [in,out] username The user's name (unquoted) in the specified @a realm.
+ * @param [in,out] realm The realm (unquoted).
+ * @param [in,out] password The user's password.
+ * @param [in,out] nonce The nonce (unquoted).
+ * @param [in,out] cnonce The client nonce (unquoted).
+ * @param [in,out] ha1sess A pointer to the result.
+ *
+ * @return Zero if succeed and non-zero error code otherwise.
+**/
+int thttp_auth_digest_HA1sess(const char* username, const char* realm, const char* password, const char* nonce, const char* cnonce, tsk_md5string_t* ha1sess)
+{
+ int ret;
+
+ /* RFC 2617 - 3.2.2.2 A1
+ A1 = H( unq(username-value) ":" unq(realm-value)
+ ":" passwd )
+ ":" unq(nonce-value) ":" unq(cnonce-value)
+ */
+
+ char *a1sess = 0;
+ tsk_sprintf(&a1sess, "%s:%s:%s:%s:%s", username, realm, password, nonce, cnonce);
+ ret = tsk_md5compute(a1sess, tsk_strlen(a1sess), ha1sess);
+ TSK_FREE(a1sess);
+
+ return ret;
+}
+
+/**@ingroup thttp_auth_group
+ * Generates digest HA2 value as per RFC 2617 subclause 3.2.2.3.
+ *
+ *
+ * @param [in,out] method The HTTP/SIP method name.
+ * @param [in,out] url The HTTP URL or SIP URI of the request.
+ * @param [in,out] entity_body The entity body.
+ * @param [in,out] qop The Quality Of Protection.
+ * @param [in,out] ha2 A pointer to the response.
+ *
+ * @return Zero if succeed and non-zero error code otherwise.
+**/
+int thttp_auth_digest_HA2(const char* method, const char* url, const tsk_buffer_t* entity_body, const char* qop, tsk_md5string_t* ha2)
+{
+ int ret;
+ /* RFC 2617 - 3.2.2.3 A2
+
+ If the "qop" directive's value is "auth" or is unspecified, then A2
+ is:
+ A2 = Method ":" digest-url-value
+
+ If the "qop" value is "auth-int", then A2 is:
+ A2 = Method ":" digest-url-value ":" H(entity-body)
+ */
+
+ char *a2 = 0;
+
+ if(!qop || tsk_strempty(qop) || tsk_striequals(qop, "auth")){
+ tsk_sprintf(&a2, "%s:%s", method, url);
+ }
+ else if(tsk_striequals(qop, "auth-int"))
+ {
+ if(entity_body && entity_body->data){
+ tsk_md5string_t hEntity;
+ if((ret = tsk_md5compute(entity_body->data, entity_body->size, &hEntity))){
+ goto bail;
+ }
+ tsk_sprintf(&a2, "%s:%s:%s", method, url, hEntity);
+ }
+ else{
+ tsk_sprintf(&a2, "%s:%s:%s", method, url, TSK_MD5_EMPTY);
+ }
+ }
+
+ ret = tsk_md5compute(a2, tsk_strlen(a2), ha2);
+
+bail:
+ TSK_FREE(a2);
+
+ return ret;
+}
+
+
+/**@ingroup thttp_auth_group
+ *
+ * Generates HTTP digest response as per RFC 2617 subclause 3.2.2.1.
+ *
+ * @param [in,out] ha1 HA1 string generated using @ref thttp_auth_digest_HA1 or @ref thttp_auth_digest_HA1sess.
+ * @param [in,out] nonce The nonce value.
+ * @param [in,out] noncecount The nonce count.
+ * @param [in,out] cnonce The client nounce (unquoted).
+ * @param [in,out] qop The Quality Of Protection (unquoted).
+ * @param [in,out] ha2 HA2 string generated using @ref thttp_auth_digest_HA2.
+ * @param [in,out] response A pointer to the response.
+ *
+ * @return Zero if succeed and non-zero error code otherwise.
+**/
+int thttp_auth_digest_response(const tsk_md5string_t *ha1, const char* nonce, const nonce_count_t noncecount, const char* cnonce,
+ const char* qop, const tsk_md5string_t* ha2, tsk_md5string_t* response)
+{
+ int ret;
+
+ /* RFC 2617 3.2.2.1 Request-Digest
+
+ ============ CASE 1 ============
+ If the "qop" value is "auth" or "auth-int":
+ request-digest = <"> < KD ( H(A1), unq(nonce-value)
+ ":" nc-value
+ ":" unq(cnonce-value)
+ ":" unq(qop-value)
+ ":" H(A2)
+ ) <">
+ ============ CASE 2 ============
+ If the "qop" directive is not present (this construction is for
+ compatibility with RFC 2069):
+ request-digest =
+ <"> < KD ( H(A1), unq(nonce-value) ":" H(A2) ) >
+ <">
+ */
+
+ char *res = 0;
+
+ if(tsk_striequals(qop, "auth") || tsk_striequals(qop, "auth-int")){
+ /* CASE 1 */
+ tsk_sprintf(&res, "%s:%s:%s:%s:%s:%s", *ha1, nonce, noncecount, cnonce, qop, *ha2);
+ }
+ else{
+ /* CASE 2 */
+ tsk_sprintf(&res, "%s:%s:%s", *ha1, nonce, *ha2);
+ }
+
+ ret = tsk_md5compute(res, tsk_strlen(res), response);
+ TSK_FREE(res);
+
+ return ret;
+}
diff --git a/tinyHTTP/src/auth/thttp_challenge.c b/tinyHTTP/src/auth/thttp_challenge.c
new file mode 100644
index 0000000..bf0e184
--- /dev/null
+++ b/tinyHTTP/src/auth/thttp_challenge.c
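Review bot: In thttp_auth_digest_HA2 a qop value that is neither empty, "auth" nor "auth-int" matches no branch, so a2 stays null and tsk_md5compute is fed a null buffer with tsk_strlen(a2) as its length, yielding a digest of nothing instead of an error; an `else{ ret = -1; goto bail; }` after the auth-int branch makes the unsupported qop visible to the caller rather than producing a silently wrong response. The same silent fallback exists in thttp_auth_digest_response, where any unrecognised non-null qop drops to the RFC 2069 CASE 2 form. None of the tsk_sprintf calls in this file check that the allocation succeeded before handing the buffer to tsk_strlen/tsk_md5compute; whether that is safe depends on those helpers tolerating a null pointer, which is not visible here. The buffers a1 and a1sess hold the cleartext password between tsk_sprintf and TSK_FREE; overwriting them with a clear the compiler cannot elide before TSK_FREE limits how long the secret survives in freed heap memory.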
@@ -0,0 +1,297 @@
+/*
+* Copyright (C) 2009-2010 Mamadou Diop.
+*
+* Contact: Mamadou Diop
+*
+* This file is part of Open Source Doubango Framework.
+*
+* DOUBANGO is free software: you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation, either version 3 of the License, or
+* (at your option) any later version.
+*
+* DOUBANGO is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with DOUBANGO.
+*
+*/
+
+/**@file thttp_challenge.c
+ * @brief HTTP authentication challenge.
+ *
+ * @author Mamadou Diop
+ *
+ * @date Created: Sat Nov 8 16:54:58 2009 mdiop
+ */
+#include "tinyhttp/auth/thttp_challenge.h"
+
+#include "thttp.h"
+
+#include "tinyhttp/headers/thttp_header_Authorization.h"
+
+#include "tsk_string.h"
+#include "tsk_debug.h"
+#include "tsk_memory.h"
+#include "tsk_base64.h"
+#include "tsk_hmac.h"
+
+#include
+
+#define THTTP_CHALLENGE_IS_DIGEST(self) ((self) ? tsk_striequals((self)->scheme, "Digest") : tsk_false)
+#define THTTP_CHALLENGE_IS_BASIC(self) ((self) ? tsk_striequals((self)->scheme, "Basic") : tsk_false)
+#define THTTP_CHALLENGE_IS_AKAv1(self) ((self) ? tsk_striequals((self)->algorithm, "AKAv1-MD5") : tsk_false)
+#define THTTP_CHALLENGE_IS_AKAv2(self) ((self) ? tsk_striequals((self)->algorithm, "AKAv2-MD5") : tsk_false)
+
+thttp_challenge_t* thttp_challenge_create(tsk_bool_t isproxy,const char* scheme, const char* realm, const char* nonce, const char* opaque, const char* algorithm, const char* qop)
+{
+ return tsk_object_new(thttp_challenge_def_t, isproxy, scheme, realm, nonce, opaque, algorithm, qop);
+}
+
+int thttp_challenge_reset_cnonce(thttp_challenge_t *self)
+{
+ if(self)
+ {
+ if(self->qop) /* client nonce is only used if qop=auth, auth-int or both */
+ {
+#if 0
+ memcpy(self->cnonce, "f221681c1e42fb5f8f9957bf7e72eb2b", 32);
+#else
+ tsk_istr_t istr;
+
+ tsk_strrandom(&istr);
+ tsk_md5compute(istr, tsk_strlen(istr), &self->cnonce);
+#endif
+ self->nc = 1;
+ }
+ }
+ return -1;
+}
+
+int thttp_challenge_get_digest_response(thttp_challenge_t *self, const char* username, const char* password, const char* method, const char* uristring, const tsk_buffer_t* entity_body, char** response)
+{
+ if(THTTP_CHALLENGE_IS_DIGEST(self)){
+ tsk_md5string_t ha1, ha2, md5_response;
+ nonce_count_t nc;
+
+ /* ===
+ Calculate HA1 = MD5(A1) = M5(username:realm:secret)
+ */
+ thttp_auth_digest_HA1(username, self->realm, password, &ha1);
+
+ /* ===
+ HA2
+ */
+ thttp_auth_digest_HA2(method,
+ uristring,
+ entity_body,
+ self->qop,
+ &ha2);
+
+ /* RESPONSE */
+ if(self->nc){
+ THTTP_NCOUNT_2_STRING(self->nc, nc);
+ }
+ thttp_auth_digest_response((const tsk_md5string_t *)&ha1,
+ self->nonce,
+ nc,
+ self->cnonce,
+ self->qop,
+ (const tsk_md5string_t *)&ha2,
+ &md5_response);
+
+ if(self->qop){
+ self->nc++;
+ }
+ if(response && !*response){
+ *response = tsk_strdup(md5_response);
+ }
+
+ return 0;
+ }
+ return -1;
+}
+
+int thttp_challenge_update(thttp_challenge_t *self, const char* scheme, const char* realm, const char* nonce, const char* opaque, const char* algorithm, const char* qop)
+{
+ if(self)
+ {
+ int noncechanged = !tsk_striequals(self->nonce, nonce);
+
+ tsk_strupdate(&self->scheme, scheme);
+ tsk_strupdate(&self->realm, realm);
+ tsk_strupdate(&self->nonce, nonce);
+ tsk_strupdate(&self->opaque, opaque);
+ tsk_strupdate(&self->algorithm, algorithm);
+ if(qop){
+ self->qop = tsk_strcontains(qop, tsk_strlen(qop), "auth-int") ? "auth-int" :
+ (tsk_strcontains(qop, tsk_strlen(qop), "auth") ? "auth" : tsk_null);
+ }
+
+ if(noncechanged && self->qop){
+ thttp_challenge_reset_cnonce(self);
+ }
+ return 0;
+ }
+ return -1;
+}
+
+thttp_header_t *thttp_challenge_create_header_authorization(thttp_challenge_t *self, const char* username, const char* password, const thttp_request_t *request)
+{
+ char* response = tsk_null;
+ tsk_size_t response_size = 0;
+ nonce_count_t nc;
+ char *uristring = tsk_null;
+ thttp_header_t *header = 0;
+
+ if(!self || !request || !request->line.request.url){
+ goto bail;
+ }
+
+ /* Sets URI: hpath do not start with / ==> append a '/'*/
+ tsk_sprintf(&uristring, "/%s", request->line.request.url->hpath ? request->line.request.url->hpath : "");
+
+ /* We compute the nc here because @ref thttp_challenge_get_response function will increment it's value. */
+ if(self->nc){
+ THTTP_NCOUNT_2_STRING(self->nc, nc);
+ }
+
+ /* Computes the response (Basic and Digest)*/
+ if(THTTP_CHALLENGE_IS_DIGEST(self)){
+ if(thttp_challenge_get_digest_response(self, username, password, request->line.request.method, uristring, request->Content, &response)){
+ goto bail;
+ }
+ response_size = (TSK_MD5_DIGEST_SIZE*2);
+ }
+ else if(THTTP_CHALLENGE_IS_BASIC(self)){
+ response_size = thttp_auth_basic_response(username, password, &response);
+ }
+ else{
+ TSK_DEBUG_ERROR("%s not supported as scheme.", self->scheme);
+ goto bail;
+ }
+
+
+#define THTTP_AUTH_COPY_VALUES(hdr) \
+ hdr->username = tsk_strdup(username); \
+ hdr->scheme = tsk_strdup(self->scheme); \
+ hdr->realm = tsk_strdup(self->realm); \
+ hdr->nonce = tsk_strdup(self->nonce); \
+ hdr->qop = tsk_strdup(self->qop); \
+ hdr->opaque = tsk_strdup(self->opaque); \
+ hdr->algorithm = self->algorithm ? tsk_strdup(self->algorithm) : tsk_strdup("MD5"); \
+ hdr->cnonce = self->nc? tsk_strdup(self->cnonce) : 0; \
+ hdr->uri = tsk_strdup(uristring); \
+ hdr->nc = self->nc? tsk_strdup(nc) : 0; \
+ hdr->response = tsk_strndup(response, response_size); \
+
+ if(self->isproxy){
+ thttp_header_Proxy_Authorization_t *proxy_auth = thttp_header_authorization_create(); // Very bad way to create Proxy_auth header.
+ THTTP_HEADER(proxy_auth)->type = thttp_htype_Proxy_Authorization;
+
+ THTTP_AUTH_COPY_VALUES(proxy_auth);
+ header = THTTP_HEADER(proxy_auth);
+ }
+ else{
+ thttp_header_Authorization_t *auth = thttp_header_authorization_create();
+ THTTP_AUTH_COPY_VALUES(auth);
+ header = THTTP_HEADER(auth);
+ }
+
+bail:
+ TSK_FREE(uristring);
+ TSK_FREE(response);
+
+ return header;
+
+#undef THTTP_AUTH_COPY_VALUES
+}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+//========================================================
+// HTTP challenge object definition
+//
+
+/**@ingroup thttp_challenge_group
+*/
+static tsk_object_t* thttp_challenge_ctor(tsk_object_t *self, va_list * app)
+{
+ thttp_challenge_t *challenge = self;
+ if(challenge){
+ const char* qop;
+
+ challenge->isproxy = va_arg(*app, tsk_bool_t);
+ challenge->scheme = tsk_strdup(va_arg(*app, const char*));
+ challenge->realm = tsk_strdup(va_arg(*app, const char*));
+ challenge->nonce = tsk_strdup(va_arg(*app, const char*));
+ challenge->opaque = tsk_strdup(va_arg(*app, const char*));
+ challenge->algorithm = tsk_strdup(va_arg(*app, const char*));
+ qop = va_arg(*app, const char*);
+ if(qop){
+ challenge->qop = tsk_strcontains(qop, tsk_strlen(qop), "auth-int") ? "auth-int" :
+ (tsk_strcontains(qop, tsk_strlen(qop), "auth") ? "auth" : tsk_null);
+ }
+
+ if(challenge->qop){
+ thttp_challenge_reset_cnonce(challenge);
+ }
+ }
+ else TSK_DEBUG_ERROR("Failed to create new http challenge object.");
+
+ return self;
+}
+
+/**@ingroup thttp_challenge_group
+*/
+static tsk_object_t* thttp_challenge_dtor(tsk_object_t *self)
+{
+ thttp_challenge_t *challenge = self;
+ if(challenge){
+ TSK_FREE(challenge->scheme);
+ TSK_FREE(challenge->realm);
+ TSK_FREE(challenge->nonce);
+ TSK_FREE(challenge->opaque);
+ TSK_FREE(challenge->algorithm);
+
+ //TSK_FREE(challenge->qop);
+ }
+ else{
+ TSK_DEBUG_ERROR("Null HTTP challenge object.");
+ }
+
+ return self;
+}
+
+static const tsk_object_def_t thttp_challenge_def_s =
+{
+ sizeof(thttp_challenge_t),
+ thttp_challenge_ctor,
+ thttp_challenge_dtor,
+ tsk_null
+};
+const tsk_object_def_t *thttp_challenge_def_t = &thttp_challenge_def_s;
-- cgit v1.1
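Review bot: thttp_challenge_get_digest_response discards the return codes of thttp_auth_digest_HA1, thttp_auth_digest_HA2 and thttp_auth_digest_response, so when any of them fails ha1, ha2 or md5_response is read uninitialised and the garbage is copied into the Authorization header through tsk_strdup(md5_response); each call should be checked and the function should return -1 on failure, as sketched below. In the same function nc is only formatted when self->nc is non-zero yet is always passed on, so a challenge whose qop was set by thttp_challenge_update without a nonce change (hence no thttp_challenge_reset_cnonce call) reaches CASE 1 with an uninitialised nc; initialising `nonce_count_t nc = {0};` and treating qop-without-nc as an error closes that path. thttp_challenge_reset_cnonce returns -1 even after successfully resetting the client nonce, so a caller that checks it cannot distinguish success from a null self; it should `return 0;` at the end of the self branch. The client nonce is derived from tsk_strrandom, whose implementation is not visible here; if it is built on rand(), a predictable cnonce weakens the replay protection that qop=auth is meant to give, so a cryptographically secure source is preferable.
```c
int thttp_challenge_get_digest_response(thttp_challenge_t *self, const char* username, const char* password, const char* method, const char* uristring, const tsk_buffer_t* entity_body, char** response)
{
	if(THTTP_CHALLENGE_IS_DIGEST(self)){
		tsk_md5string_t ha1, ha2, md5_response;
		nonce_count_t nc = {0};

		if(thttp_auth_digest_HA1(username, self->realm, password, &ha1)){
			return -1;
		}
		if(thttp_auth_digest_HA2(method, uristring, entity_body, self->qop, &ha2)){
			return -1;
		}
		if(self->nc){
			THTTP_NCOUNT_2_STRING(self->nc, nc);
		}
		else if(self->qop){
			/* qop is set but the client nonce / nonce count were never initialised */
			return -1;
		}
		if(thttp_auth_digest_response((const tsk_md5string_t *)&ha1, self->nonce, nc, self->cnonce, self->qop, (const tsk_md5string_t *)&ha2, &md5_response)){
			return -1;
		}
		/* … unchanged: nc increment and response copy … */
```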